Archive for category Security

I’ve recently stumbled upon a script that has become my favorite post-exploitation tool. It’s multi-threaded, contains no local binaries, and no dropper binaries. It provides a plethora of functionality to escalate privileges on the network, all through WMI calls. The tool is CrackMapExec, written by byt3bl33d3r.

Imagine that we’ve compromised credentials on an internal assessment. CrackMapExec can easily be utilized to find where those credentials have elevated privileges. This command executes 100 threads attempting to login to all systems on the 192.168.81.0/24 range:

In case anyone missed it, Metasploit has a couple of new payloads that allow interactive PowerShell sessions. What does that mean? Previously, if you tried to open a PowerShell session within Meterpreter, there was no interaction between PowerShell and your session.

Any command that you type seems to disappear in the ether. Now, thanks to the hard work of
Ben Turner (@benpturner) and Dave Hardy (@davehardy20) at Nettitude, we have full interaction with PowerShell sessions! Their introduction to these modules is here.

To find the new payloads within Metasploit, simply search for “Interactive_Powershell”

This allows us to use all of our favorite PowerShell tools, such as PowerSploit and PowerTools (included in Veil-Framework), from within a Meterpreter session. To avoid downloading the tools to disk, we use “Invoke-Expression” to run the tools directly in memory. I like to host them locally, as opposed to downloading the from the Internet.

You can also load multiple modules all at once by providing a list separated by commas. I cloned the PowerSploit and PowerTools modules to my Apache root, so to enumerate all modules, I simply use “find” to display all PowerShell scripts recursively.

I’ve been searching quite a while now for the best way to search for domain admin tokens, once admin rights are attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often works, but can easily miss systems that have a domain admin kerberos security token still loaded in memory. There are a couple of “Token_Hunter” post modules, but you need to have a shell on the systems to run them, which can take a long time to establish, load incognito, and list tokens. As much as I love shellz, I certainly don’t care to have a couple thousand of them connecting back to my machine. So, I think I’ve finally pieced together a viable method from a couple of articles posted around the Internet.

As any other seasoned pentester, I love using the Metasploit Framework during engagements. Using the database integration helps greatly in keeping all of my reconnaissance scans neatly formatted and easily queried. The “-R” switch was a welcome addition for configuring “RHOSTS” variables within modules (hosts -R, services -p 80 -R, etc…). It utilizes the host and service information within your database to configure modules to target specific hosts instead of sweeping entire ranges. The only piece missing in this utility is that some modules require “RPORT” to be configured as well. I’ll use the “auxiliary/scanner/mssql/mssql_login” module for example. If you used “auxiliary/scanner/mssql/mssql_ping” to scan for SQL servers, it’s very likely that not all of the hosts discovered are running on the old default port 1433, so each non-standard port configuration would have to be tested individually. Previously, to work around this limitation, I would export the results from “mssql_ping” to a text file and use a python script to brute force weak “sa” credentials. Now, I’ve finally figured out how to create a simple resource script to automate the configuration of “RHOSTS” and “RPORT” that i’d like to share.

First, if you’re not familiar with the automation capabilites provided by the Metasploit team, HD wrote a good overview of six different ways to automate the Metasploit Framework. Also, the guys over at Offensive Security have a great intro into the Meterpreter scripting capabilities. Since I’m horrible at ruby scripting, I decided to take the route of a simple resource script, which does take advantage of some simple ruby scripting.

Here is the code:

use auxiliary/scanner/mssql/mssql_login
set USER_FILE /opt/sql_brute/sql_users.txt
set PASS_FILE /opt/sql_brute/sql_wordlist.txt
set VERBOSE false
set THREADS 255
framework.db.hosts.each do |host|
host.services.each do |service|
if service.name == "mssql" and service.state == "open"
self.run_single("set RHOSTS #{host.address}")
self.run_single("set RPORT #{service.port}")
self.run_single("run")
end
end
end

The script is pretty self-explanatory, but lets walk through it quickly. The upper half simply selects the “mssql_login” module and configures the static options. The lower half of the script is where we drop into the ruby interpreter and create some magic. We iterate through all hosts in the database and all respective services. If the service “name” equals “mssql” and the service is “open”, “RHOSTS” is assigned the IP of that system and “RPORT” is assigned that port. Finally, we “run” the module and any successfully brute forced credentials are displayed with their respective host IP.

Here is a quick example, first running the “mssql_ping” module to enumerate SQL servers on the network:

In just a fraction of a second, Metasploit returns successful authentication credentials. This simple script is easy to port to other modules, such as the “auxiliary/scanner/http/tomcat_mgr_login”, “auxiliary/scanner/http/jboss_vulnscan”, or any other module that requires “RHOSTS” and “RPORT” configurations. I would love to see this fucntionality built into Metasploit, but for now, we have a simple workaround. A big thanks goes to the Metasploit Framework development team at Rapid7 for maintainig an incredible framework.

Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:

Metasploit psexec

Metasploit psexec_psh

Windows psexec executable

Impacket psexec python script

pth-winexe

pth-wmis

smbexec

Veil-Catapult

All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec_command” module, created by Royce Davis (@r3dy__), from Accuvant LABS.

First, we need to create an AV-safe executable to deploy to our target. If you haven’t checked it out yet, Veil-Evasion is one the easiest ways to create AV-safe executables. After we have an executable, we simply create an SMB share for our targets to access.

This post is a simple introduction to Powershell and a demonstration of a couple of useful ways it can be utilized during the information gathering stages of a pentest. All of the examples are demonstrated using Powershell version 3.0, so unless you are running Windows 8/2012 or above, you will most likely need to download the latest version from Microsoft. To check what version you are currently running, simply run the following command.

Edit: @obscuresec pointed out that you must also have the “Active Directory Module for Windows Powershell” installed/enabled to utilize the following cmdlets. You can find this module in the “Remote Server Administration Tools”, which is a separate download from Microsoft. The module is enabled through the “Programs and Features” Control Panel item.

Assuming that you will be running these commands from a local machine that isn’t joined to the domain, the first requirement for enumerating Active Directory is valid domain credentials, because any valid domain user has full “read” access to Active Directory. If your lucky, these are usually attained via brute force or possibly a compromised host on the domain. This is often the first step towards the fall of the “Domain Admin”. However you attain these credentials, use them to connect to the Active Directory service.

PS C:\Users\TrustedSec> $cred = Get-Credential

When prompted, enter the credentials, which will be saved in the “$cred” variable.

Now we can simply call the “$cred” variable when we want to query the domain service. The first command that I like to run is a query for the list of “Domain Admins”.

Hopefully this sparks your interest in Powershell and helps you on your next pentest. If you haven’t already, you should also check out Matt Graeber’s PowerSploit cmdlets. There are many incredibly useful scripts that he maintains and provides to the community for free. Happy PowerSploiting!

Before I begin, please do not upload any payloads referenced in this tutorial to sites like VirusTotal. Antivirus companies use these samples to create new signatures for their products. OK, on to it.

First of all, Veil is a nice little payload generator that will generate your windows payload all within Kali. It was created by Chris Truncer using some of the antivirus bypass techniques shared by Dave Kennedy and Debasish Mandal. Chris already has a nice tutorial on how to get setup and running. I’ve been using Option 7 to generate payloads, which seems to bypass Microsoft Security Essentials just fine.

Finally, you can use CoreLab’s python version of psexec to execute your payload on a remote machine. To install, simply download the latest version of Impacket and run setup.py.

I’m sure every pentester is aware of the WPAD man-in-the-middle trick, but here is my walkthrough of a dirty little trick that utilizes this vulnerability to grab some clear text credentials. If you’re not already aware, there is potential vulnerability that exists in the way that Internet Explorer is configured to “auto detect” its proxy settings. If “Automatically detect proxy settings” is checked in the proxy configuration tab, IE will generate a name lookup request on the network, for a host named “WPAD”, on initialization.

On a corporate network, a DNS entry for “WPAD” should point to a proxy server that hosts a “wpad.dat” file, which tells Internet Explorer where to direct its Internet traffic. If that DNS query fails, the client falls back to WINS, and finally resorts to a local broadcast to try to find a host named “WPAD” on the network. On operating systems of Windows Vista and later, this request is based on a protocol named Link-local Multi-cast Name Resolution (LLMNR).

Here is where the dirty trick comes in. If we are on the same broadcast network as the client attempting to resolve this “WPAD” host, we can create a service that answers that request and claims that we are that host. Another dirty trick is to host the “wpad.dat” file on an HTTP server that requires basic authentication. Who doesn’t try re-entering their credentials when prompted on their corporate network, right?

So, the brilliant folks at SpiderLabs have provided us with an awesome utility, named Responder, that we can use to exploit the scenario described above. To install, use GIT to clone the repository.

Run the script with the “-h” argument to enumerate the available options.

root@kali:/opt/Responder# python Responder.py -h
Usage: python Responder.py -i 10.20.30.40 -b 1 -s On -r 0
Options:
-h, --help show this help message and exit
-i 10.20.30.40, --ip=10.20.30.40
The ip address to redirect the traffic to. (usually
yours)
-b 0, --basic=0 Set this to 1 if you want to return a Basic HTTP
authentication. 0 will return an NTLM
authentication.This option is mandatory.
-s Off, --http=Off Set this to On or Off to start/stop the HTTP server.
Default value is On
--ssl=Off Set this to On or Off to start/stop the HTTPS server.
Default value is On
-S Off, --smb=Off Set this to On or Off to start/stop the SMB server.
Default value is On
-q Off, --sql=Off Set this to On or Off to start/stop the SQL server.
Default value is On
-r 0, --wredir=0 Set this to enable answers for netbios wredir suffix
queries. Answering to wredir will likely break stuff
on the network (like classics 'nbns spoofer' will).
Default value is therefore set to Off (0)
-c 1122334455667788, --challenge=1122334455667788
The server challenge to set for NTLM authentication.
If not set, then defaults to 1122334455667788, the
most common challenge for existing Rainbow Tables
-l Responder-Session.log, --logfile=Responder-Session.log
Log file to use for Responder session.
-f Off, --fingerprint=Off
This option allows you to fingerprint a host that
issued an NBT-NS or LLMNR query.
-F On, --ftp=On Set this to On or Off to start/stop the FTP server.
Default value is On
-L On, --ldap=On Set this to On or Off to start/stop the LDAP server.
Default value is On
-D On, --dns=On Set this to On or Off to start/stop the DNS server.
Default value is On
-w Off, --wpad=Off Set this to On or Off to start/stop the WPAD rogue
proxy server. Default value is Off
--lm=0 Set this to 1 if you want to force LM hashing
downgrade for Windows XP/2003 and earlier. Default
value is False (0)

Now, we simply run the script with the basic authentication and WPAD modules enabled, sit back, and wait for the clear text creds to roll in.

Now, how do we protect our corporate networks from this attack? The simplest solution is to create a DNS entry for “WPAD” that points to the corporate proxy server. Even if the server doesn’t actually host a “wpad.dat” file, an attacker won’t be able to exploit the client resolution process (unless, of course, the DNS server is compromised). Another solution is to disable “Autodetect proxy settings” on all Internet Explorer clients, through Group Policy or any other configuration delivery method.

Finally, mimikatz has been accepted into the Metasploit trunk! This post is an update to an earlier post named Dumping Clear Text Passwords. Now, it’s easier than ever to dump clear text passwords from within a Meterpreter session. Let’s walk through an example.

At the time of this writing, “msfupdate” was not pulling down the mimikatz extension for me, so I just copied the required files to their respective locations found here. Now, once we attain a Meterpreter session, we just load the extension and call “wdigest”.

I recently watched a presentation that rel1k gave at bSides Cleveland 2012, in which he revealed some of his top secret antivirus bypass techniques. He quickly explained and demonstrated Binary Droppers, Shellcodeexec, Powershell injection, modifying Metasploit payload templates, and PE crypters. This last one caught my attention, as I hadn’t heard of it before. The PE crypter that he demonstrated is called Hyperion, by nullsecurity. It works somewhat like a PE Packer, but instead of scrambling the payload and encapsulating it with explicit instructions on how to descramble it, the payload is encrypted and encapsulated with a weak 128-bit AES key, which is simply brute forced at the time of execution. Let’s try it out. Only the source files are made available, so we’ll have to compile it ourselves. Luckily, BackTrack provides the tools need to cross-compile executables.

You’ll notice that I didn’t upload this to VirusTotal to see how many anti-virus vendors detect our payload as malicious. It’s pretty well known now that this is one place anti-virus vendors go to find new payloads that they need to create signatures for detection. So, your best option for testing custom payloads is to simply install the version of anti-virus that you are trying to bypass.

Also, as rel1k stated in his presentation, the stub used to encapsulate the payload is static, so anti-virus vendors could easily create a signature for these payloads. He suggests modifying the source so that it is polymorphic. Alas, I have no idea how to do that right now, so maybe we will cover that in later post. Happy Crypting!